CVE-2023-0874 in Klaviyo Plugin
Summary
by MITRE • 04/10/2023
The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/11/2025
The vulnerability identified as CVE-2023-0874 affects the Klaviyo WordPress plugin version 3.0.10 and earlier, presenting a critical security risk through stored cross-site scripting attacks. This flaw specifically targets the plugin's handling of user settings where insufficient sanitization and escaping mechanisms leave the system exposed to malicious input. The vulnerability is particularly concerning because it can be exploited by high-privilege users including administrators, even in environments where the unfiltered_html capability has been restricted, such as in multisite WordPress configurations. The security implications extend beyond simple script execution as they represent a potential gateway for more sophisticated attacks targeting the entire WordPress installation.
The technical flaw manifests in the plugin's failure to properly sanitize user-provided input within its administrative settings interface. When administrators or other high-privilege users configure plugin settings, the input data is not adequately filtered through proper sanitization routines before being stored in the database. This allows malicious scripts to be persistently stored within the plugin's configuration parameters, making them executable whenever the settings are rendered or processed. The vulnerability specifically affects scenarios where WordPress security measures like unfiltered_html restrictions are in place, which typically prevent users from injecting raw HTML or JavaScript code. However, this flaw circumvents such protections by exploiting the plugin's own data handling mechanisms.
The operational impact of CVE-2023-0874 extends far beyond simple XSS execution, creating potential pathways for privilege escalation and persistent malware delivery. Once an attacker gains access through this vulnerability, they can execute malicious scripts in the context of authenticated users' browsers, potentially allowing for session hijacking, data exfiltration, or further compromise of the WordPress environment. In multisite installations, this vulnerability becomes even more dangerous as it could enable attackers to compromise multiple sites within a single network. The stored nature of the vulnerability means that the malicious code persists across server restarts and user sessions, making detection and remediation more challenging. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of secure coding practices that should prevent user input from being directly embedded into web responses without proper sanitization.
Mitigation strategies for CVE-2023-0874 require immediate action including upgrading to Klaviyo plugin version 3.0.10 or later, which contains the necessary sanitization fixes. Organizations should also implement additional security measures such as monitoring for unusual administrative activities and conducting thorough security audits of plugin configurations. Regular security scanning of WordPress installations can help identify similar vulnerabilities in other plugins or themes. The remediation process should include reviewing and validating all existing plugin settings to ensure no malicious scripts have been previously stored. Security teams should also consider implementing web application firewalls and content security policies as additional defensive measures. From an ATT&CK framework perspective, this vulnerability maps to techniques involving command and control communications and privilege escalation, making it a critical target for immediate remediation. The vulnerability demonstrates the importance of proper input validation and output encoding practices as outlined in OWASP secure coding guidelines, particularly in administrative interfaces where privileged users interact with system configuration data.